rhadamanthys | f4de4f89d51790fbcc5e69d1daec304ac0433179973bfcb1828c8691a0dc5e84

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

680KB
MD5

3035101d044a4425dbd5a523ace428c3
SHA1

f08ecf54bb93077fc32cef5f6915ce569e38bed1
SHA256

f4de4f89d51790fbcc5e69d1daec304ac0433179973bfcb1828c8691a0dc5e84
SHA512

d60db29c92f219c9f69debc1ad1c50cf74b858c2e9e2bd4ed00f2bb6e1e9c8bbf7e9240ec11cc7e46cafc2a0651a462f2c6c1c42824b913bedf747a1b1dae9d0
SSDEEP

12288:z6hgTBOyy3AhX+JP4OduQDNZ4hxUxBjcyHnUaK6BpefgRY1bHzv7F/EfO:W+dIu+zduQDD4hxUYy0Z6B4flbHLtEW

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 7 IoCs

resource	yara_rule
behavioral2/memory/4084-168-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-170-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-169-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-171-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-182-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-187-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral2/memory/4084-189-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4084 created 2596	4084	Setup.exe	51

Executes dropped EXE 4 IoCs

pid	Process
3468	Setup.exe
4464	Setup.exe
4948	Setup.exe
4084	Setup.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4084	3468	Setup.exe	99

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF136.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f02e.msi	msiexec.exe
File created	C:\Windows\Installer\e57f02c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f02c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
808	msiexec.exe
808	msiexec.exe
4084	Setup.exe
4084	Setup.exe
4084	Setup.exe
4084	Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4884	msiexec.exe
Token: SeSecurityPrivilege	808	msiexec.exe
Token: SeCreateTokenPrivilege	4884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4884	msiexec.exe
Token: SeLockMemoryPrivilege	4884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4884	msiexec.exe
Token: SeMachineAccountPrivilege	4884	msiexec.exe
Token: SeTcbPrivilege	4884	msiexec.exe
Token: SeSecurityPrivilege	4884	msiexec.exe
Token: SeTakeOwnershipPrivilege	4884	msiexec.exe
Token: SeLoadDriverPrivilege	4884	msiexec.exe
Token: SeSystemProfilePrivilege	4884	msiexec.exe
Token: SeSystemtimePrivilege	4884	msiexec.exe
Token: SeProfSingleProcessPrivilege	4884	msiexec.exe
Token: SeIncBasePriorityPrivilege	4884	msiexec.exe
Token: SeCreatePagefilePrivilege	4884	msiexec.exe
Token: SeCreatePermanentPrivilege	4884	msiexec.exe
Token: SeBackupPrivilege	4884	msiexec.exe
Token: SeRestorePrivilege	4884	msiexec.exe
Token: SeShutdownPrivilege	4884	msiexec.exe
Token: SeDebugPrivilege	4884	msiexec.exe
Token: SeAuditPrivilege	4884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4884	msiexec.exe
Token: SeChangeNotifyPrivilege	4884	msiexec.exe
Token: SeRemoteShutdownPrivilege	4884	msiexec.exe
Token: SeUndockPrivilege	4884	msiexec.exe
Token: SeSyncAgentPrivilege	4884	msiexec.exe
Token: SeEnableDelegationPrivilege	4884	msiexec.exe
Token: SeManageVolumePrivilege	4884	msiexec.exe
Token: SeImpersonatePrivilege	4884	msiexec.exe
Token: SeCreateGlobalPrivilege	4884	msiexec.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeBackupPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4884	msiexec.exe
4884	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4152	808	msiexec.exe	93
PID 808 wrote to memory of 4152	808	msiexec.exe	93
PID 808 wrote to memory of 3468	808	msiexec.exe	95
PID 808 wrote to memory of 3468	808	msiexec.exe	95
PID 808 wrote to memory of 3468	808	msiexec.exe	95
PID 3468 wrote to memory of 4464	3468	Setup.exe	97
PID 3468 wrote to memory of 4464	3468	Setup.exe	97
PID 3468 wrote to memory of 4464	3468	Setup.exe	97
PID 3468 wrote to memory of 4948	3468	Setup.exe	98
PID 3468 wrote to memory of 4948	3468	Setup.exe	98
PID 3468 wrote to memory of 4948	3468	Setup.exe	98
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 3468 wrote to memory of 4084	3468	Setup.exe	99
PID 4084 wrote to memory of 4248	4084	Setup.exe	100
PID 4084 wrote to memory of 4248	4084	Setup.exe	100
PID 4084 wrote to memory of 4248	4084	Setup.exe	100
PID 4084 wrote to memory of 4248	4084	Setup.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2596
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4884
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:4248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4152
- C:\Users\Admin\AppData\Local\Software Installer\Setup.exe
  "C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Software Installer\Setup.exe
    "C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Users\Admin\AppData\Local\Software Installer\Setup.exe
    "C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
- - C:\Users\Admin\AppData\Local\Software Installer\Setup.exe
    "C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f02d.rbs

Filesize
8KB

MD5
7b1104e1c6231baff86b4715dc52628b

SHA1
19d24519608465b1c085df41f9b77a638ff73393

SHA256
2f73ebb631b1e3b4c383330b323d09c23540ad9cb7ede0c0ec16cc67865e3e96

SHA512
ae2b754983808c9686ad86a2b6078aa7d01f5b7ce56dc3253bd408e1782011ee84ea8e2b7bb012ff40749e7468ee0db306d290b8c8863f1e347b79c3dc529da6

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe

Filesize
371KB

MD5
2cfed8e9b117e80c7645c40e6dc0abc9

SHA1
cea302664bdd9f01473ca25d0863f926a74bca42

SHA256
260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee

SHA512
88a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe

Filesize
371KB

MD5
2cfed8e9b117e80c7645c40e6dc0abc9

SHA1
cea302664bdd9f01473ca25d0863f926a74bca42

SHA256
260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee

SHA512
88a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe

Filesize
371KB

MD5
2cfed8e9b117e80c7645c40e6dc0abc9

SHA1
cea302664bdd9f01473ca25d0863f926a74bca42

SHA256
260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee

SHA512
88a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe

Filesize
371KB

MD5
2cfed8e9b117e80c7645c40e6dc0abc9

SHA1
cea302664bdd9f01473ca25d0863f926a74bca42

SHA256
260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee

SHA512
88a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe

Filesize
371KB

MD5
2cfed8e9b117e80c7645c40e6dc0abc9

SHA1
cea302664bdd9f01473ca25d0863f926a74bca42

SHA256
260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee

SHA512
88a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1

Download Submit
C:\Users\Admin\AppData\Local\Software Installer\setup1.bin

Filesize
456KB

MD5
63917716c9c06309ad732c1e03a8810b

SHA1
34f770380fa79a8069d50f8a38bb49d40fb8c67d

SHA256
8819b5ddee35390103144f90d75523b6678be9f9803dfd633e7c15116afe0bec

SHA512
f13c915a1e937530667bef73edd5e47470cc5453d42fcfed5917f3defc417b835f043fcffcd2866b9af04446c77b152b5f3dc74afa88c43e070955678c64ab24

Download Submit
C:\Windows\Installer\e57f02c.msi

Filesize
680KB

MD5
3035101d044a4425dbd5a523ace428c3

SHA1
f08ecf54bb93077fc32cef5f6915ce569e38bed1

SHA256
f4de4f89d51790fbcc5e69d1daec304ac0433179973bfcb1828c8691a0dc5e84

SHA512
d60db29c92f219c9f69debc1ad1c50cf74b858c2e9e2bd4ed00f2bb6e1e9c8bbf7e9240ec11cc7e46cafc2a0651a462f2c6c1c42824b913bedf747a1b1dae9d0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
ce7e8a7b4590387d359da91cdb832bcc

SHA1
8ae26a055691fc56714d864cc8599bc76bc9709a

SHA256
451b79b68c107bda209a75200cbe2bba5c93ea66141941e90e48ec5a8875e9da

SHA512
9dd189bbd2f3505e8f142ea277b4b530b1e59d99ad47db1e57b2c2654e24014e16289c48e8dfe62e2cf5940777d064ad3c192c4c80234da0329aa29b99c56e65

Download Submit
\??\Volume{1f21c27e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{91e34e14-28a2-43eb-ae33-d8523d10a9ad}_OnDiskSnapshotProp

Filesize
5KB

MD5
f5007ae3d1ca38b76415678fc8f37870

SHA1
be47a7da3e36249049b36ad1d905715645dccea7

SHA256
743e36e9a7592fb0f21c73fcf31d7ba5a2f5e513149d047272c68a66e9fa06f4

SHA512
1c0ec8f43f4ab9328f07aca90c4c4ce4f42736bb0e147be1d5a2cfbc3309e2783a2292de2059d0ad7668204cba2963c5450a39e165acd09de543eb959fe55be1

Download Submit
memory/4084-168-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-162-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4084-166-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4084-170-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-169-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-171-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-165-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4084-167-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

Filesize
28KB

Download
memory/4084-189-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-175-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4084-176-0x0000000003730000-0x0000000003766000-memory.dmp

Filesize
216KB

Download
memory/4084-182-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-186-0x0000000003730000-0x0000000003766000-memory.dmp

Filesize
216KB

Download
memory/4084-187-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4084-188-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4248-174-0x000001DE96940000-0x000001DE96943000-memory.dmp

Filesize
12KB

Download